The Use of Management Standards in Trustworthy Digital Ar- chives

Susanne Dobratz*, Peter Rödig**, Uwe M. Borghoff**, Björn Rätzke****, Astrid Schoger***

*Humboldt-Universität zu Berlin, University Library **Universität der Bundeswehr München / University of Unter den Linden 6 the Federal Armed Forces Munich, D-10099 Berlin Werner-Heisenberg-Weg 39, [email protected] D-85579 Neubiberg peter.roedig| [email protected]

***Bayerische Staatsbibliothek / Bavarian State Library ****Rätzke IT-Service Ludwigstraße 16, Strasse 58 Nr. 10, D-80539 München, D-13125 Berlin, [email protected] [email protected]

Abstract is one of the essential parts to be- The existence of such criteria led to increased conception come a trustworthy digital archive. The German network and installation of digital archives during the last couple of expertise in Digital long-term preservation (nestor), in of years. It also created new discussions on the impor- cooperation with the German Institute for Standards tance and applicability of existing standards as many of (DIN) has undertaken a small study in order to systemati- the organisational criteria in those catalogues refer to cally analyse the relevance und usage of quality manage- specific ISO quality management standards like ISO ment standards for long-term preservation and to filter out 9000 etc. the specific standardisation need for digital archives. This During the establishing of a DIN/ISO Working Group in paper summarises the first results of the study. It gives a Germany for defining criteria for trustworthy digital first overview on the differences in understanding the task “quality management” amongst different organisa- archives, the ostensible question on the recent degree of tions and how they carry out appropriate measures like acceptance and usage of quality management standards documentation, transparency, adequacy, and measureabil- within the cultural heritage sector (libraries, archives, ity in order to demonstrate the trustworthiness of their museums) arose. Therefore the German Institute for digital archive. Standards (DIN) sponsored a small study in order to systematically analyse the relevance und usage of quality management standards for long-term preservation and to 1 Introduction filter out the specific standardisation need for digital archives. This study has two parts: (1) a survey amongst Already in 1996, the Task Force on Archiving of Digital different digital archives and (2) an analysis of standards Information by The Commission on Preservation and for the management of quality, processes, and security. It Access and the Research Libraries Group called for a discusses the relevance and applicability in practice of certification programme for long-term preservation re- those standards for use within a digital preservation envi- positories: ‘…repositories claiming to serve an archival ronment. It shows, how and which standards related to function must be able to prove that they are who they say quality management are in use in digital archives of they are by meeting or exceeding the standards and different kind in Germany: libraries, archives, data cen- criteria of an independently-administered program for tres, publishers, museums. archival certification ...’ [11]. Some investigations in creating criteria and measuring the risk for a long-term preservation of digital objects have been carried out by 1.1 Long-term preservation and trustworthy several stakeholders, like the ‘Cornell Library Virtual digital archives Remote Control Tool’ project of Cornell University[5], One of the central challenges to long-term preservation the ERPANET project[4], and most recently by the Digi- in a digital repository is the ability to guarantee the au- tal Repository Certification Task Force of the Research thenticity and interpretability (understandability) of digi- Libraries Group (RLG) and OCLC, the Digital Curation tal objects for users across time. This is endangered by Centre (DCC) in cooperation with the European Com- the aging of storage media, the obsolescence of the un- mission funded project Digital Preservation Europe derlying system, the application software as well as (DPE) and the German nestor project. changes in the technical and organisational infrastruc- based on documentation may also prevent mistakes and ture. Malicious or erroneous human actions also put inappropriate implementations. Adequate documentation digital objects at risk. Trustworthy long-term preserva- can help to prove the completeness of the design and tion in digital repositories requires technical, as well as architecture of the long-term digital archive at all steps. organisational provisions. A trustworthy digital reposi- In addition, quality and security standards require ade- tory for long-term preservation has to operate according quate documentation. to the repository’s aims and specifications. Key concepts Transparency that demonstrate trustworthiness are e.g. transparency Transparency is achieved by publishing appropriate parts and documentation. In order to evaluate trustworthiness of the documentation, which allows users and partners to the measures taken in order to minimize the risk potential gauge the degree of trustworthiness for themselves. Pro- for the digital objects representing the important values ducers and suppliers are given the opportunity to assess in digital archives, have to be appropriate, measureable, to whom they wish to entrust their digital objects. Inter- and traceable. nal transparency ensures that any measures can be traced, and it provides documentation of digital archive quality Trustworthiness to operators, backers, management, and employees. Trustworthiness of a system means that it operates ac- Parts of the documentation which are not suitable for the cording to its objectives and specifications (it does ex- general public (e.g. company secrets, security-related actly what it claims to do). From an information tech- information) can be restricted to a specified circle (e.g. nology (IT) security perspective, integrity, authenticity, certification agency). Transparency establishes trust, confidentiality, non-repudiation, and availability are because it allows interested parties a direct assessment of important building blocks of trustworthy digital archives. the quality of the long-term digital archive. Integrity refers to the completeness and exclusion of Adequacy unintended modifications to archive objects. Unintended According to the principle of adequacy, absolute stan- modifications could arise, due to malicious or erroneous dards cannot be given. Instead, evaluation is based on human behavior, or from technical imperfection, dam- the objectives and tasks of the long-term digital archive age, or loss of technical infrastructure. Authenticity here in question. The criteria have to be seen within the con- means that the object actually contains what it claims to text of the special archiving tasks of the long-term digital contain. This is provided by documentation of the prove- archive. Some criteria may therefore prove irrelevant in nience and of all changes to the object. Availability is a certain cases. Depending on the objectives and tasks of guarantee (1) of access to the archive by potential users the long-term digital archive, the required degree of and (2) that the objects within the archive are interpret- fulfilment for a particular criterion may also differ. able. Availability of objects is a central objective, which must be fulfilled in relation to the designated community Measurability In some cases - especially regarding long-term aspects - and its requirements. Confidentiality means that infor- mation objects can only be accessed by permitted users. there are no objectively assessable (measurable) features. Potential interest groups for trustworthiness are: In such cases we must rely on indicators showing the degree of trustworthiness. As the fulfillment of a certain • archive users who want to access trustworthy criteria depends always on the designated community, it information – today and in the future, is not possible to create “hard” criteria for some of them, • data producers and content providers for whom e.g. how can be measured, what adequate metadata is? trustworthiness provides a means of quality as- Transparency also makes the indicators accessible for surance when choosing potential service pro- evaluation. viders, • resource allocators, funding agencies and other Recent research on trustworthy digital repositories institutions that need to make funding and The ideas discussed in this paper are based on early de- granting decisions, and velopments on a framework describing requirements and • long-term digital archives that want to gain functionalities for archiving systems that focus on the trustworthiness and demonstrate this to the pub- long-term preservation of digital materials, the Open lic either to fulfill legal requirements or to sur- Archival Information System (OAIS) [2]. From that vive in the market. work the Digital Repository Certification Task Force of the Research Libraries Group (RLG) and OCLC derived There is a wide range of preservation archives that exist attributes and responsibilities for so called trusted digital or are under development: from national and state librar- repositories in 2002 [10] and finally released in February ies and archives with deposit laws; to media centres 2007, under the title: Trustworthy Repositories and having to preserve e-learning applications; to archives Certification Checklist (TRAC) [7], a checklist useable to for smaller institutions; to world data centres in charge of conduct , worked out by the Auditing and Certifi- ‘raw’ data. Trustworthiness can be assessed and demon- cation of Digital Archives project run by the Center for strated on the basis of a criteria catalogue. Research Libraries (CRL). The German nestor project Documentation developed a catalogue of criteria in 2004 and a second The goals, concepts, specifications, and implementation version in 2008. nestor is concentrating on the specific of a long-term digital archive should be documented national situation and allaborates the catalogue as guide- adequately. The documentation demonstrates the devel- line for the conception and design of a trustworthy digital opment status internally and externally. Early evaluation archive [6]. The Digital Curation Centre (DCC) in coop- eration with the European Commission funded project 2 Background and focus of this study Digital Preservation Europe (DPE) conducted some test audits based on the first draft of the RLG-NARA/CRL The German Ministry of Economics and Technology checklist and developed an tool for (BMWi) has financed a long-term project called Innova- trusted digital long-term repositories, called Digital Re- tion with Norms and Standards (INS) since 2006. The pository Audit Method Based on Risk Assessment primary aim is to provide optimal business conditions for (DRAMBORA) in 2007[3]. Within the PLANETS pro- future innovation and to support their ability to act on the ject1, the development of a Preservation Test Bed to global market. In 2008, within the INS initiative, DIN provide a consistent and coherent evidence-base for the and nestor carry out a project targeting at the standardisa- objective evaluation of different preservation protocols, tion of topics relevant to long-term preservation espe- tools and services and for the validation of the effective- cially (1) quality management for trustworthy digital ness of preservation plans takes place. In January 2007 archives, as documented in this study, and (2) the stan- the OCLC/RLG-NARA Task Force, CRL, DCC, DPE dardisation of ingest processes. This project continues and nestor agreed upon a set of so called common prin- the work done in 2007 where the needs for standardisa- ciples, ten basic characteristics of digital preservation tion in digitisation and long-term preservation have been archives [8]. collected and within separate studies, (1) measures The current TRAC checklist is the basis for an ISO stan- within a standardised administration as well as (2) the dardisation effort led by David Giaretta (DCC) and car- usage of persistent identifiers have been investigated. ried out under the umbrella of the OAIS standards family of the Consultative Committee for Space Data Systems The present study analyses several quality management (CCSDS) via ISO TC20/SC13. standards regarding their applicability for the evaluation of trustworthiness of digital archives. It extracts to which The questions that all those standardisation efforts have extent the standardisation of criteria for trustworthy to answer are: digital archives can be based on existing standards and 1. Is a new single standard for trustworthy digital identifies domain specific standardisation needs. archives needed? 2. How does this standard refer to existing stan- Identifying and practising quality measures within a dards? long-term preservation context attracts nationally and 3. Is an evaluation or even a certification of trust- internationally high attention. worthy digital archives desireable and useful? While the amount of digital data explodes and an grow- ing amount of institutions are establishing digital ar- 1.2 Quality management (QM) and standards chives, there is still a deficit in standards and commonly accepted measures used for the development and the Quality of products, processes, and systems is a key quality control during operation of such archives. factor for economical success in an open world. Imple- menting and operating a quality is Internationally there are two ways: first to define cata- vital for many organisations in order to survive on the logues of criteria and second to work out risks potentials market. But also public administrations are interested in based on the specific goals of the considered archives. a more efficient and effective use of revenues resources Thereby the links to existing standards and norms are for public services. Therefore numerous principles, used without defining and specifying the relation to or methods, practices, and techniques have been developed the use of those standards within a long-term preserva- in the last decades. Many of them are consolidated, tion archive. broadly accepted and published in standards. In order to get a first idea of core concepts we refer to the Furthermore it is useful to distinguish between the efforts well known standard ISO 9000. Quality management is towards standardisation and the efforts towards certifica- defined as coordinated activities to direct and control an tion. The latter issue can only be carried out, if reliable organisation with regard to quality. The activities gener- standards, criteria, and most important, appropriate met- ally include the establishment of a quality policy and rics exist. quality objectives, quality planning, quality control, , and quality improvement. These spe- Due to the varying goals and realisations of digital ar- cific activities are the task of a quality management sys- chives it is necessary to identify categories of digital tem. Of course, ISO 9000 also provides a definition of archives that may use the same or similar standards. the term quality. It is defined as the degree to which a set of inherent characteristics fulfils requirements. And a The main focus of this study is to assess the applicability requirement is a need or expectation that is stated, gener- of standards. Certification methods and schemas will be ally implied, or obligatory. subject of a follow-up study in 2009.

11 http://www.planets-project.eu 3 Methodology 10 Mission oft the institution 11 Age, growth, budget of institution 3.1 Identification of relevant quality manage- Information about the digital archive 12 Policies ment standards 13 Growth of digital objects In a first step we identified and characterised QM stan- 14 Financial concept dards that are potentially useful for planning and operat- 15 How can the existence of the digital archive ing trustworthy digital archives. Attributes already de- granted after structural changes in organisation? fined for determining the trustworthiness of digital ar- Quality and security management chives serve as a guideline for selecting a first set of 16 Quality management (yes, no) relevant standards. This first selection provides a refer- 17 Quality management: what is done precisely? ence in the questionnaire in order to find out easier 18 Do you have a quality manager? which standards are concretely known, discussed, or 19 Have you concerned about standards and norms? already applied or refused. Moreover, this set of stan- 20 Have you discussed standards and norms? dards serves as a basis for a deeper analysis of the appli- cability of QM standards in long-term preservation con- 21 Has the applicability of standards been analysed in your institution? sidering the results of the questionnaire. 22 Would you need support and training in order to introduce standards? 3.2 Survey of quality management standards 23 Do you follow standards with a quality or secu- used in long-term preservation rity issue? (followed by a detailed list of selected Second, the questionnaire and survey were designed. We standards from the theoretical analyses and by asked all institutions involved in the 2004 survey on checkboxes indicating the degree of use and attributes and technologies used for setting up digital certification) archives. This survey conducted by the nestor Working 24 Do you follow other standards? Group on Trusted Repository Certification (nestor WG 25 Are you developing software? TDR) finally resulted in the design of the first nestor 26 Do you use a service provider for the operation of catalogue released in June 2006. the digital archive? (relation to provider) 27 Does your service provider perform a quality In addition, institutions that were known to work on management? establishing a digital archive as well as commercial part- ners (e-newspapers, repository services providers) were B Object Management included in the study. 53 institutions representing the digital archive landscape in Germany were asked: libries, Ingest libraries at universities, museums, archives (public bod- 28 Types of objects (carrier, format, content) ies), archives (private, corporate bodies), and commer- 29 Selection criteria (yes, no, planned, published) cial vendors. 30 Do you have formal regulations with producers? 31 Do you have a concept for keeping the quality in The design of the questionnaire should mirror some of the relation with the producers? the criteria in the nestor catalogue as well as make visi- 32 Do you carry out quality control measures for ble those activities that could be interpreted as quality objects and metadata? management although they might not be recognised as Access such by the institution. We asked for the institution‘s 33 Do you know your user community? characteristics as well as for the policy of the digital 34 Have you collected the user community needs? long-term preservation archive and the kind and amount of digital objects hold. Several specific questions focused 35 Do you provide specific interfaces for your us- on the use of standards and quality management. ers? 36 Do you monitor user satisfaction? The 44 questions were the following2: 37 Do you have a concept for keeping the quality in relation to your users?

A Organisation C Infrastructure and Security

1-6 Contact data of responsible manager 38 Have you defined the processes and organisa- Information about the organisation itself tional structures for the operation of your ar- 7 Status of the organisation (public, private) chive? 8 Type of organisation (administration, university, 39 Have you documented the processes and organ- library, archive, museum, …) isational structures for the operation of your 9 Research area (astronomy, biology, chemistry, archive? …)3 3 It was a disadvantage that no formal subject schema 2 Details and the whole questionnaire will be given in the was used here, we oriented on a subject schema of CRL final study report scheduled for November 2009. colleges. 40 Do you have an IT-concept for your institution? stocking conditions for storage media or devices. This 41 Do you have a security concept for your institu- category of standards is out of scope here, since they do tion? not address quality management systems directly. But of 42 Have you documented or contracted the com- course it is one of the task of a QM system to implement mittment to upgrade your hard- and software? and control processes that identify, assess, and apply Trustworthy digital archive such standards. 43 Would the development of a special standard for This considerations lead to a first set of QM related stan- trustworthy digital archives be helpful for your dards that will be investigated in more detail in order to development of a long-term preservation archive? check for applicability in practised. 44 Would you be interested in a certification as trustworthy digital archive? (yes, no, under which 4.2 Survey conditions?) The survey took place during June and July 2008 when the questionnaire was distributed as PDF form and col- lected via email. The survey was restricted to Germany, 3.3 Applicability and practise of quality man- because the financial and time resources were very lim- agement standards ited and the purpose has been to initiate national activi- ties. Having the results of the questionnaire at hand we can continue to analyse our pre-selected standards. Missions, The participants had approximately three to four weeks tasks, and organisational forms of memory organisations time to deliver the answers electronically or via fax. as well as legal and financial constraints will allow us to determine the degree of applicability of QM standards more reliantly. Therefore we have to develop a set of 4.3 Comparison of theoretical and practical re- criteria in order to make the assessment of applicability sults transparent. For example, the size of an organisation or As third step we will compare the more theoretical con- the extent of in-house determines siderations with the answers from the survey. Since this the adequacy of quality standards. Of course, we addi- step is still work in progress, we can only state the basic tionally consider all requirements and constraints con- findings in this paper so far. The final report of the study cerning QM standards explicitly stated by memory or- is scheduled for the end of November 2008. ganisations within the questionnaire and related discus- sions. The goal is to investigate the usability of standards in practise and to figure out the hurdles that prevent institu- tions to effectively use standards. We want to find out 4 Realisation the contexts of the standards and their portability into the area of long-term preservation. 4.1 Identifying relevant quality management standards 5 First results of the study This section illustrates how we have determined a first set of QM standards potentially useful for trustworthy 5.1 Identified quality management standards4 digital archives. Here we present some members of our set of identified Obviously there are several similarities between issues standards and illustrate their potential usefulness for addressed by quality management systems and the attrib- trustworthy archives. utes required for trustworthy digital archives. Let us start with a glance at the popular ISO 9000 family. Assessing the trustworthiness of archives needs a holistic ISO 9000 describes fundamentals and introduces princi- view on the system responsible for the preservation of ples of quality management, which correspond to the information. QM Systems also underpin that all compo- principles and derived criteria as formulated in the nestor nents of an organisation have to be considered in order to catalogue for trustworthy digitals archives in varying improve quality of products, processes, and systems. degrees. Documentation, internal and external transpar- Moreover, both approaches emphasise the task to inves- ency and adequacy are basic principles in this catalogue. tigate and respect customer needs. Therefore, we have For example, ISO’s quality management principles stress taken generic and high-level QM standards into account. the customer focus, the process approach, and leadership. Since the preservation of digital information is highly Leadership means to establish unity of purpose and di- dependent on reliable IT-systems we have also consid- rection of the organisation, which leads to an adequate ered IT-specific standards dealing with the quality of IT organisational form. The process approach facilitates an on an organisational and management level. integrated view to the long-term preservation of informa- Moreover, security is another indispensable attribute for tion. The costumer focus corresponds primarily to the the trustworthiness of archives. Therefore our study also definition of the archive’s designated community. The comprises standards that are mainly focussing on the ISO standard also underpins the value of documentation. management of IT-systems security. Documentation enables communication of intent, both Additionally, there are many specific quality standards available. They generally concentrate on distinct charac- 4 teristics of products or processes like the operating and A first report for this phase of the study is scheduled for the end of August. internally and externally, and consistency of action, and sons may constrain the practical applicability. The last it serves as a mean of traceability. ISO 9000 also pro- phase of this study will cover this issue. vides a consistent set of definitions for terms relating to quality management and introduces different types of 5.2 Survey results documents used in the context of quality management. Based on the fundamentals of ISO 9000 another member From 53 distributed questionnaires we received 17 an- swers that could seriously be considered for analysis. So of the family, namely ISO 9001, defines requirements for a quality management system where an organisation this study cannot be regarded as highly representative needs to demonstrate its ability to provide products that and comprehensive. It has to be interpreted as a first step into a deeper analysis on the transferability of methods fulfil customer and applicable regulatory requirements and aims to enhance customer satisfaction. Audits are and standards from different economically more impor- used to determine the extent to which these requirements tant and dominant branches to an economic niche: digital long-term preservation, well knowing of it’s raising are fulfilled. Audits can be conducted internally or exter- nally (formal and informal). Guidance for auditing can importance. be found in ISO 19011. With the help of a certificate an Nevertheless, we did receive important feedback from organisation can contribute to external transparency and increase confidence in its capabilities. those who where simply not able to answer the question- Maturity models are another category of standards that naire because they had not proceeded very far in estab- lishing a digital archive. This was the case especially in are useful for quality management. They define a set of attributes that facilitate to find out the maturity of an one of the museums we asked, where the superior or- organisation to fulfil certain tasks. CMMI (Capability ganisation, the public body in charge of the museum, has 5 not yet recognised a preservation of the digital assets as Maturity Model Integration) is a popular example, which has its origin in the evaluation of software subcon- an important issue to save cultural heritage and therefore tractors. CMMI now offers an extensive framework for limited the financial contribution to the basic function of the museum. Our conclusion from this feedback is, that process improvement and for benchmarking organisa- tions mainly with the focus on development projects. quality management as well as long-term preservation Despite this project oriented view, we have recognised has not reached public awareness and led to action yet. Only few stakeholders in long-term preservation have useful concepts and elements. CMMI also considers cross-project organisational aspects and, like ISO 9000, perceived the importance of standards for quality man- complies with the process oriented approach. Especially, agement, processes, and security for the preservation task so far. CMMI stresses the institutionalisation of processes and provides generic goals and practices for the management of processes, which includes for example defining, plan- 15 out of 17 institutions were public bodies. Most (7) of those belong to a university or research institution, 5 are ning, implementing, monitoring, and controlling of proc- esses; planning of processes also covers the provision of libraries, 4 belong to an administration, 3 are archives, adequate resources like funding, skilled people, or ap- and 3 data centres. We received only 2 responses from commercial institutions, although we asked 14 . propriate tools. CMMI additionally addresses a range of specific issues like requirements development, require- ments management, or risk management as well as proc- Asked for the superior mission of their institution most of them identified the tasks preservation/conservation, ess and product quality assurance. CMMI also describes procedures for internal and external assessments. provision and making objects acessible as key issues for Information security, primarily in the area of digital their institution. From 17 institutions, 9 have defined goals and policies for their digital archive and its opera- information, is another prerequisite for trustworthiness. Information security needs to be managed like quality tion, 5 of those have even published their policies, and processes. Information is the core product of an whereas 2 institutions have no policy in place and 7 have only planned to compile a digital preservation policy. archive. Fortunately, we can refer to already existing standards especially to the ISO 27000 series. ISO 27000 (still under development) specifies the fundamental prin- To the question on the existence of a financial concept to the long-term provision of digital objects, 10 institutions ciples, concepts, and vocabulary for the ISO 27000 se- ries. ISO 27001 defines the requirements for an Informa- gave a positive answer, 5 denied to have one. However, tion Security Management System (ISMS). ISO 27002 long-term in this sense corresponds to time scales be- tween 2 years (3 institutions), 3 years (1 institution), and provides code of practices, for example in the areas of security policies, organisation of information security, 5 years (5 institutions). Only one participant has a 10 access control, information security incident manage- year future financial concept in place. ment, and business continuity management. Procedures for certification and self assessment are also addressed Asked, how can the existence of the digital archive be by this series of standards. granted after structural changes in organisation, most answers argued that this concept and question are irrele- Of course, we have to bear in mind that these potentially useful standards are not primarily designed for memory vant for public administration. organisations and for digital long-term preservation. Another important response revealed, that primarily Their generosity, underlying design goals, or other rea- public body institutions didn’t recognise an advantage for themselves, their services, and customers in being 5 http://www.sei.cmu.edu/cmmi certified for ISO 9000 or even as trustworthy digital developed software solution (only 9 documented it). This archive. The portability of quality management standards fits into the overall picture that long-term preservation is to the procedures and services in public administration is always bound to a designated community and therefore considered as hardly possible. Often the enormous com- to very community specific needs. 8 out of 15 answered plexity of standards is seen as main barrier to comply to use a service provider, either an external with a private with them completely. Instead, standards are (mis-)used contract or an administrative contract, for software de- as guidelines and their principles applied to selected velopment, 7 don’t. workflows and processes: documentation, tranparency, quality control of ingested objects. An IT-concept as well Another question looked into quality management of the as a security concept has been introduced into most of service provider. Here 4 institutions answered that their the institutions. Summarising the answers to those ques- service provider perform a quality management, 1 an- tions: most institutions have already thought about qual- swered ‘no’ and 5 didn’t know that. Only 1 institution ity management, discussed the applicability of standards mentioned ITIL as standard in use at the service provider and elements derived from those standards, and follow for software development. their own interpretation of quality control and manage- ment. The study mirrored a strong demand for deeper The type of digital objects that the interviewed institu- and broader information on standards as well as support tions preserved varies from pure text formats via video and training during the introduction of standards. and audio formats to software and interactive multime- dia. In fact, there has been collected an significant Surprisingly only 2 out of 16 institutions had appointed a amount of objects, whose only chance to survive is to be quality manager. maintained in a digital preservation archive using either migration or emulation as archiving method to be avail- Looking into the standards used, 12 institutions answered able and interpretable in future. that they comply with standards, 3 don’t. In detail it looks as follows: Regarding the selection process of objects 13 participants stated to have selection criteria in place, only 3 of them ISO 9000 1 (full) published. All of them document in one or another way ISO/IEC 200006 1 (full) formal arrangements with their producers, either in form ITIL7 3 (partially) of legal regulations, frame contracts, formal license V-Modell8 2 (mostly) agreements or deposit contracts. MoReq9 1 (full) 1 (partially) Most of the institutions (11 out of 15) have a concept in DOMEA10 1 (full) place for keeping or improving their relation to their 2 (mostly) producers. 1 (partially) DINI Certificate11 5 (full) A quality control of objects and metadata is carried out 1 (mostly) by 14 institutions, just 1 stated ‘no’. 2 (partially) ISO 1540812 1 (partially) Looking into the usage aspects, most institutions know BSI13 Standard 100-3 1 (partially) their user community and half of the institutions have BSI14 Grundschutzka- 2 (full) already surveyed the specific demands of their user talog 2 (mostly) group. They use it to provide user group specific access 2 (partially) to the digital objects. Quality can often be measured by measuring the satisfaction of the users. 6 institutions BSI Grundschutzzerti- 1 (partially) stated to measure the user satisfaction, 9 stated ‘no’. fikat Nearly one third (5) of the participants have a concept in place to continuously improve the relationship to their One essential part of the survey was the investigation of users. habits regarding digital archiving systems. As we antici- pated, most, 13 out of 17, institutions decided for a self- Regarding aspects like infrastructure and security, 11 institutions stated to the question if they had defined the 6 process and organisational structures of their institution: http://www.iso.org/iso/catalogue_detail?csnumber=4133 11 designed, 3 specified, 5 realised, 4 published, 1 evalu- 2 ated. 10 have even documented their structures, whereas 7 See http://www.itil.org 5 have no documentation. 8 Please refer to KBSt at http://www.kbst.bund.de 9 http://www.moreq2.eu The last two questions tested the readiness to certify 10 See KBSt: Federal Government Co-ordination and themselves as trustworthy digital archive. Here we re- Advisory Agency ceived interesting answers. Most institutions refused to 11 See www.dini.de [21] answer ‘yes’ or ‘no’. Their willingness to become a certi- 12 See http://www.iso15408.net fied trustworthy digital archive strongly depends on the 13 BSI : Federal Office for Information Security costs (time, effort, and money) for preparing and conduc- 14 tion the certification. This attitude differs from that in See http://www.bsi.bund.de/english/topics/topics.htm different communities where e.g. an ISO 9000 certifica- [7] OCLC und Center for Research Libraries (2007): tion is the basis for a successful business. Trustworthy Repositories Audit and Certification: Crite- ria and Checklist. : http://www.crl.edu/PDF/trac.pdf

First conclusions [8] OCLC/RLG-NARA Task Force on Digital Reposi- tory Certification; CLR; DCC; DPE und nestor (2007): Summarising the first results, we regard the adoption of Core Requirements for digital Archives (Common Prin- standards for managing quality, processes, and security ciples). : as an important factor to establish trustworthy digital http://www.crl.edu/content.asp?l1=13&l2=58&l3=162&l archives. The first results from the survey indicate that 4=92 also the participants of this study, generally spoken, see the high importance of such standards for their local [9] RLG NARA Task Force on Digital Repository Certi- institutions. We also recognized severe problems in us- fication (2005): Audit Checklist for Certifying Digital ing those standards in practice. Apparently standards are Repositories, RLG, NARA Task Force on Digital Re- applied mostly in the sense of guidelines. pository Certification, Mountain View, CA.

The problems arising while transferring standards into [10] RLG Working Group on Digital Archive Attributes new domains like long-term preservation can be traced (2002): Trusted Digital Repositories: Attributes and back to the heavy complexity of those standards that Responsibilities, RLG; OCLC, Mountain View CA.: affect the understanding of the standards itself in a nega- http://www.rlg.org/longterm/repositories.pdf tive way. Further reasons and potential solutions to the problem have still to be analysed in the final part of this [11] Task Force on Archiving Digital Information study. (1996): Preserving Digital Information, Commission on Preservation and Access, Washington D.C. The first impression from the study leads to the finding that there is a need for a specific standard covering all [12] ISO 9000:2000 Quality management systems – relevant aspects of a trustworthy digital repository. Fundamentals and vocabulary

References [13] ISO 9000:2005 Quality management systems – Fundamentals and vocabulary [1] Bundesamt für Sicherheit in der Informationstechnik (2005): V 2.3. [14] ISO 9001:2000 Quality management systems – Requirements [2] ISO14721:2003 Space data and information transfer systems – Open archival information system – Reference [15] ISO 19011:2002 Guidelines for quality and/or model; see also Blue Book: environmental management systems auditing http://www.ccsds.org/docu/dscgi/ds.py/Get/File- 143/650x0b1.pdf [16] ISO/IEC FCD 27000 Information technology – Security techniques – Information security management [3] Digital Curation Centre und Digital Preservation systems – Overview and vocabulary Europe (2007): DCC and DPE Digital Repository Audit Method Based on Risk Assessment, V1.0.: [19] ISO/IEC 27001:2005 Information technology – http://repositoryaudit.eu/download Security techniques – Information security management systems – Requirements [4] Erpanet Project (2003): Risk Communication Tool.: http://www.erpanet.org/guidance/docs/ERPANETRiskT [20] ISO/IEC 27002:2005 Information technology – ool.pdf Security techniques – Code of practice for information security management [5] McGovern, Nancy Y.; Kenney, Anne R.; Entlich, Richard; Kehoe, William R. und Buckley, Ellie (2004): [21] Deutsche Initiative für Netzwerkinformation: DINI Virtual Remote Control: Building a Preservation Risk Certificate Document and Publication Services 2007 Management Toolbox for Web Resources, D-Lib Maga- [Version 2.0, September 2006]: http://edoc.hu- zine 10 (4).: berlin.de/series/dini-schriften/2006-3-en/PDF/3-en.pdf http://www.dlib.org/dlib/april04/mcgovern/04mcgovern.

[6] nestor Working Group on Trusted Repositories Certi- fication (2006): Criteria for Trusted Digital Long-Term Preservation Repositories – Version 1 (Request for Pub- lic Comment) English Version, Frankfurt am Main.: http://nbn-resolving.de/urn:nbn:de:0008-2006060703